Hi, we’re deploying our devices behind a strictly controlled, firewalled network and the network team had asked us for the ports/hostnames we needed them to open for our Raspberry 3 devices running the latest version of balenaOS (managed via balenaCloud).
We gave them the following configuration (after going through balena network and security docs):
Hostnames: *.balena-cloud.com, *.docker.com, *.docker.io
Ports: UDP 53, UDP 123 and TCP 443
Direction: Unidirectional (from device to internet)
I can confirm that this access has been given. However, the device still doesn’t appear ‘Online’ on our balenaCloud dashboard.
The IT team has also informed us that the configuration we’ve given is not correct since the device is still making requests to other IP addresses and ports (one real IP it was making requests to: 34.237.229.125, being accessed by OpenVPN).
Can somebody from the balena team please provide an exhaustive list of ports/IP addresses my balenaCloud device will be accessing so I can pass on the same to our client’s network team?
The IP you mention is one of the IP addresses our VPN server resolves to. You may check with dig vpn.balena-cloud.com or nslookup vpn.balena-cloud.com.
There is not any IP list that we can provide, as IP addresses may change eventually, but the hostnames will be the same. We establish connections by hostname in our code.
You are probably facing a problem because of the wildcards. Does your firewall support DNS packet parsing for refreshing its IP/hostname mapping data structures?
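To answer the "which hostname owns this IP?" question the IT team raised, the check below (an added example, not balena's code or anything from this thread) resolves each allow-listed hostname right now and attributes every observed destination IP to the hostnames that currently map to it; anything left unattributed is either an unlisted host or a stale firewall mapping, which is exactly the wildcard/DNS-refresh problem described above. The only hostname it assumes is vpn.balena-cloud.com from this thread; the offline table is constructed sample data.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def resolve_all(hostname: str) -> Set[str]:
    """Current set of IPv4 addresses for a hostname (empty if it does not resolve)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return set()
    return set(addrs)


def attribute_egress(observed_ips: Iterable[str], allowed_hostnames: Iterable[str],
                     resolve: Resolver = resolve_all) -> Dict[str, List[str]]:
    """Map each observed destination IP to the allowed hostnames resolving to it.

    Resolution happens at call time: addresses behind a hostname change, so a
    firewall that cached an old answer will block traffic that the hostname
    rule should have permitted. Re-run this whenever a device shows as offline.
    """
    current = {host: resolve(host) for host in allowed_hostnames}
    return {ip: sorted(h for h, addrs in current.items() if ip in addrs)
            for ip in observed_ips}


def unexplained(attribution: Dict[str, List[str]]) -> List[str]:
    """Observed IPs that none of the allowed hostnames currently resolve to."""
    return sorted(ip for ip, hosts in attribution.items() if not hosts)


# Constructed offline sample: a fake resolver standing in for live DNS.
# 198.51.100.7 and 192.0.2.9 are documentation-range placeholder addresses.
SAMPLE_DNS = {"vpn.balena-cloud.com": {"34.237.229.125", "198.51.100.7"}}


def sample_resolve(hostname: str) -> Set[str]:
    return SAMPLE_DNS.get(hostname, set())


if __name__ == "__main__":
    seen = ["34.237.229.125", "192.0.2.9"]       # IPs the firewall logged
    allowed = ["vpn.balena-cloud.com"]            # hostnames the firewall permits
    result = attribute_egress(seen, allowed, resolve=sample_resolve)
    for ip, hosts in result.items():
        print(f"{ip}: {', '.join(hosts) or 'NOT attributed to any allowed host'}")
    print("unexplained:", unexplained(result))
```

Swap `sample_resolve` for the default `resolve_all` to run it against live DNS from the firewalled network itself, so the answer reflects the resolver the devices actually use.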
So I just spoke to the IT team and they informed me that they were having problems because of the wildcard entry. They do not have any issues whitelisting vpn.balena-cloud.com or any other specific hostnames.
Would it be possible to give them a list of hostnames so I can connect to my balenaCloud device from behind the corporate firewall?
We are currently providing only wildcard domain rules as we do not have control over the docker.io and docker.com subdomains. Those are used for upgrading supervisor and the OS and are essential features.
We are discussing this right now and will get back with more information on this soon.
For posting the subdomains here I will need internal confirmation, as I am not sure we would like to lock people out of updates (since others will read this page if they face issues with firewalls).
Please let me know if those subdomains can be shared with me. It’d be really helpful for me since this is a corporate client and we’ve already deployed our devices there to find out now that they have such strict firewall restrictions.
@majorz because I am facing the same issue with the configuration of my firewall policies and I haven't found the list of the subdomains.
So I would be pleased if you could help me out here as well.
Thanks for the fast reply, the problem is that our firewall can't handle wildcard domains. So the only solution I can find is implementing a proxy server, which would cause additional cost to us.
Do you have another solution?
Unfortunately not. This is something we are currently debating internally.
The list of subdomains can and does occasionally change (and is also dynamic, for example the use of UUIDs as part of the domain), so if you’re not able to handle wildcarded domains then I believe the only guaranteed solution at the moment is that of a proxy server.